• 0

# Help me With Instruction logic

## Question

Can anybody explain logic here

It's ARM instruction set:

Here dword_36BD38 is uninitialized variable in .bss section

LDR       R3, =(dword_36BD38 - 0x19D86C)

ADD      R3, PC, R3  ; dword_36BD38

CMP      R0, #0

STR       R0, [R3]

MOVLT   R2, #0x7FFFFFFF

STRLT     R2, [R3]

I have a little idea what's happening here but couldn't understand whole logic!

Edited by Un_Known

## Recommended Posts

• 0
```0000	LDR		R3, =(dword_36BD38 - 0x19D86C) -- Load offset to R3
0004	ADD		R3, PC, R3  ; dword_36BD38 -- R3 = PC + Offset (R3)
0008	CMP		R0, #0 -- Check if R0 value equal to 0
000C	STR		R0, [R3] -- Store R0 value into R3 (R3 = dword_36BD38)
0010	MOVLT	R2, #0x7FFFFFFF -- If R0 value less than 0, then put (0x7FFFFFFF) 2147483647 into R2.
0014	STRLT	R2, [R3] -- If R0 value less than 0, then store R2 value which is 2147483647, into R3 (R3 = dword_36BD38)```

Conclusion is, if R0 value less than 0.. then put 2147483647 into bss:dword_36BD38.

Anyway, if you not understand about the logic. F5 hotkey may come handy.

##### Share on other sites

• 0

I have learnt a lot after joining GG forum.

Thnx to @saiaapiz @Enyby

##### Share on other sites

• 0

It generally means that value of coins would be highest (because 2147483647 is largest dword) only when value in R0 is less than 0

Okk if  I change MOVLT to MOV

and STRLT to STR

then value will always be 2147483647 because it will bypass condition check

is it correct

and plz elaborate this part =(dword_36BD38 - 0x19D86C)

couldn't understand this That

What would be value in R3 register

Edited by Un_Known
##### Share on other sites

• 0
Quote

Okk if  I change MOVLT to MOV

and STRLT to STR

then value will always be 2147483647 because it will bypass condition check

is it correct

Yes, you're correct.

Quote

and plz elaborate this part =(dword_36BD38﻿ - 0x19D86C)

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

Quote

What would be value in R3 register﻿

##### Share on other sites

• 0
1 minute ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

ohh thnx buddy once again sorry for disturbing you

##### Share on other sites

• 0
1 hour ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

What is happening here can u explain? I have highlighted offset pushed to R1 with cursor?

what type of sign is between ahighscore and offset is it just a dash ? What is purpose of ahighscore here?

Any reference guide for arm instruction set ?

Edited by Un_Known
##### Share on other sites

• 0

Above question can be ignored Updated:

I think it is offset is loaded into R1 after subtraction between ahighscore and 0x19D8B4 and their addresses being subtracted!

so Here ahighscore has address =>00319CEC

so 00319CEC - 0x19D8B4 =17C438

So R1, = 17C438 would it be an offset?

Am.i correct or Wrong?

Edited by Un_Known
##### Share on other sites

• 0

Offset from PC in LDR location. Useless in any other place.

##### Share on other sites

• 0
2 hours ago, Enyby said:

Offset from PC in LDR location. Useless in any other place.

Yep, Ida make we confuse by looking its value pointing directly to target address.

Actually, true opcode look like this LDR R0, [PC, #0x4]

Idk how to explain it, you can find arm opcode documentation on google. They describe how each instruction work.

##### Share on other sites

• 0

This is how the ARM architecture works. Most addresses are not absolute, but relative, relative to the PC. This is done to save space in instructions. The instruction size is 4 bytes. The size of the 32-bit pointer is also 4 bytes. An absolute address almost always requires 4 bytes, since the code can be located in different places. A relative address can be encoded with 2 or 3 bytes. This will give the opportunity to refer to the memory near the code, where this code would not be located.
And since .bss is not far from .code (.text), this is enough.

##### Share on other sites

• 0

Let me explain this real quick.

```Explanation:
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14```

You can find lot of information here, The ARM instruction set

Edited by saiaapiz
##### Share on other sites

• 0
50 minutes ago, saiaapiz said:

Let me explain this real quick.

```
Explanation:
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14```

You can find lot of information here, The ARM instruction set

Thnx buddy for putting a lot of effort just to helpme!

##### Share on other sites

• 0
3 hours ago, saiaapiz said:

Let me explain this real quick.

```
Explanation:
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14```

You can find lot of information here, The ARM instruction set

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address!

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

Edited by Un_Known
##### Share on other sites

• 0
19 hours ago, Un_Known said:

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address!

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

Idk, it just works.

I didn't read hundred pages of arm documentation.

##### Share on other sites

• 0
On 6/27/2019 at 2:30 AM, Un_Known said:

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address!

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

So finally I Got answer to this thnx to @saiaapiz .

Posting Answer here because it can help many!

The Program Counter is automatically incremented by the size of the instruction executed. This size is always 4 bytes in ARM state and 2 bytes in THUMB mode. When a branch instruction is being executed, the PC holds the destination address. During execution, PC stores the address of the current instruction plus 8 (two ARM instructions) in ARM state, and the current instruction plus 4 (two Thumb instructions) in Thumb(v1) state. This is different from x86 where PC always points to the next instruction to be executed.

Edited by Un_Known

## Create an account

Register a new account

• ### Similar Content

• #### Help

By tomorucih,

• 1,401 views
• #### HELP

By MASTERKILLAHSV,

• 1,005 views
• #### Help

By E33or404,

• 0 replies
• 480 views
• #### Help

By Rocinante,

• 0 replies
• 503 views
• #### Help

By qesokekee,